Secure Access® CLOUD is based on a reverse proxy cluster that sits in the cloud between unauthenticated internet traffic and the servers hosting the final resources (corporate web applications). It forces users to authenticate through Secure Access® CLOUD before communication with the final web application is established. Only legitimate users and traffic are able to reach the server, and therefore the attack surface of those applications is reduced drastically.
It is structured in a multi-layer architecture for greater modularisation, flexibility and scalability. The following diagram shows the different modules that make up the architecture.
The Unified Multistep Login protects the web applications located in the outermost layer (Frontend), the administration dashboard and the user panel. These three components are reachable from the internet.
The login process consists of a set of challenges that the user must solve to verify their identity. It is configurable by the administrative user in the dashboard.
The following diagram shows what a typical secure login process looks like in Secure Access® CLOUD:
This process is designed to avoid providing unnecessary information to malicious users trying to brute force their way into the platform. Even when a user fails one of the challenges (such as username or password), the next one is still prompted, and only at the end does the authentication fail, leaving the attacker unable to know which element of the process they failed.
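As an added illustration of the uniform-failure behaviour described above (example code, not part of Secure Access® CLOUD): every challenge is prompted and evaluated, the outcome is only reported after the last one, and the prompt sequence and error message are identical whichever step was wrong. The user store, hashing scheme and challenge names are constructed for this demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo user store (not the product's data model). Passwords are
# salted SHA-256 for brevity; a real store would use a slow KDF such as Argon2.
_SALT = b"constructed-demo-salt"


def _hash(secret: str) -> bytes:
    return hashlib.sha256(_SALT + secret.encode()).digest()


USERS = {"alice": {"password": _hash("correct horse"), "totp": "123456"}}

CHALLENGES = ("username", "password", "totp")
GENERIC_FAILURE = "Authentication failed"  # same text for every failing step


def _check_username(state: dict, answer: str) -> bool:
    state["user"] = USERS.get(answer)
    return state["user"] is not None


def _check_password(state: dict, answer: str) -> bool:
    user = state.get("user")
    # Hash and compare even for unknown users so the work done does not
    # reveal whether the username step succeeded.
    expected = user["password"] if user else _hash(secrets.token_hex(8))
    return hmac.compare_digest(expected, _hash(answer))


def _check_totp(state: dict, answer: str) -> bool:
    user = state.get("user")
    expected = user["totp"] if user else secrets.token_hex(3)
    return hmac.compare_digest(expected, answer)


CHECKS = {"username": _check_username, "password": _check_password, "totp": _check_totp}


def run_login(answers: dict) -> tuple:
    """Walk every challenge in order regardless of earlier failures.

    Returns (authenticated, prompts, message). `prompts` is the sequence of
    challenges the user was asked for; it and `message` do not depend on
    which step (if any) failed, so a brute-forcing client learns nothing
    about partial progress.
    """
    state, all_ok, prompts = {}, True, []
    for name in CHALLENGES:
        prompts.append(name)  # the challenge is shown even after a failure
        ok = CHECKS[name](state, answers.get(name, ""))
        all_ok = all_ok and ok  # ok is already computed; no short-circuit skip
    return all_ok, tuple(prompts), ("OK" if all_ok else GENERIC_FAILURE)
```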
The next layer (Backend) is where the logic is executed, and the platform data is stored. It consists of different modules that communicate with each other to offer all of the available features:
Authentication: Manages users, groups and permission schemas to grant access to registered domains and subdomains.
Two Factor Authentication: Handles the different 2 Factor authentication methods (TOTP and Push notifications).
SSL Certificates generation: Generates certificates and manages their renewal through the integration with the Let's Encrypt platform.
Integration services: Responsible for the interaction with external authentication providers to synchronise users and groups.
Data analysis engine: Analyses the data of the users including the traffic logs and authentication logs.
Storage: Saves the configuration data and logs of the platform.
The last layer (Reverse Proxy Farm) is the intermediary between the final web applications and users on the Internet. It is an autoscaling infrastructure that increases and decreases the number of instances based on the current usage of the platform and balances the workload between the active instances. This layer also contains the Web Application Firewall (WAF), which follows a set of configurable rules to allow genuine requests to pass and block malicious requests before they reach the final web applications.
Secure Access® CLOUD has been developed using professional coding standards and strict security controls. Secure configuration and exhaustive testing of all areas of the platform ensure optimal performance and data security at all times. The main technologies used to implement Secure Access® CLOUD include:
To protect a web application with Secure Access® CLOUD, the public domains/subdomains of the web applications to be protected have to be redirected to the platform's reverse proxy farm (https://my.secureaccess.com). In this way, requests initiated by users reach Secure Access® CLOUD first, which identifies the user and verifies their permissions. If the user has previously authenticated, the platform forwards the request to the final web application and returns the response to the user.
Unauthenticated users without an active session in Secure Access® CLOUD are redirected to the login page to start the authentication process. Once the user has completed all the authentication steps, they are redirected again to the reverse proxies. The proxies validate the active session and access permissions before forwarding the request to the final web application. If the user has the required permissions, the request reaches the final web application; otherwise it is blocked by the platform.